Comments on: 10 Things Every Lawyer Should Know About Legal SaaS (Part 4): Security http://www.goclio.com/blog/2009/06/10-things-every-lawyer-should-know-about-legal-saas-part-4-security/ Practice Management Simplified Tue, 02 Mar 2010 11:07:34 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Official Clio Blog » Cloud Coverage http://www.goclio.com/blog/2009/06/10-things-every-lawyer-should-know-about-legal-saas-part-4-security/comment-page-1/#comment-379 Official Clio Blog » Cloud Coverage Wed, 02 Sep 2009 14:25:11 +0000 http://www.goclio.com/blog/?p=244#comment-379 [...] with our earlier discussions on security, privacy and data availability, Niki Black published an informative article on the Lawyerist that [...] [...] with our earlier discussions on security, privacy and data availability, Niki Black published an informative article on the Lawyerist that [...]

]]> By: The Clio Team http://www.goclio.com/blog/2009/06/10-things-every-lawyer-should-know-about-legal-saas-part-4-security/comment-page-1/#comment-247 The Clio Team Tue, 23 Jun 2009 19:04:40 +0000 http://www.goclio.com/blog/?p=244#comment-247 Great point. At a minimum there should be a maximum number of password attempts (whether it's 3 or 10 or 20 attempts) to avoid brute-force "dictionary" attacks. Another tactic for defending against brute-force attacks is to have a timeout for password attempts for a certain amount of time (say 10 minutes) after a certain number of unsuccessfull attempts. As you may have found, clients can get frustrated if they are the legitimate users of the account and get locked out, so I think it's important to balance security and accessibility in this case. I think the 10-minute timeout helps balance both requirements. Best regards, Jack Great point. At a minimum there should be a maximum number of password attempts (whether it’s 3 or 10 or 20 attempts) to avoid brute-force “dictionary” attacks.

Another tactic for defending against brute-force attacks is to have a timeout for password attempts for a certain amount of time (say 10 minutes) after a certain number of unsuccessfull attempts.

As you may have found, clients can get frustrated if they are the legitimate users of the account and get locked out, so I think it’s important to balance security and accessibility in this case. I think the 10-minute timeout helps balance both requirements.

Best regards,
Jack

]]> By: Mari http://www.goclio.com/blog/2009/06/10-things-every-lawyer-should-know-about-legal-saas-part-4-security/comment-page-1/#comment-246 Mari Tue, 23 Jun 2009 18:32:17 +0000 http://www.goclio.com/blog/?p=244#comment-246 What do you think of the '3 strikes you're out' rule with passwords? I understand the benefits but I find a lot of clients have a lot of trouble with it.... What do you think of the ‘3 strikes you’re out’ rule with passwords? I understand the benefits but I find a lot of clients have a lot of trouble with it….

]]>